PT-2026-5265 · Unknown+1 · Defaultpluginoperator+1

Mukyuuhate · Published 2026-01-29 · Updated 2026-01-29 · CVE-2026-1588

CVSS v2.0: 3.3 (Low)
Vector: AV:N/AC:L/Au:M/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

jishenghua jshERP versions prior to 3.6

Description

A path traversal issue exists in the install function of the /jshERP-boot/plugin/installByPath file within the com.gitee.starblues.integration.operator.DefaultPluginOperator component. Manipulation of the path argument can lead to path traversal. This issue is potentially exploitable remotely. The exploit has been publicly released. The project maintainers were notified but have not yet responded.

Recommendations

Versions prior to 3.6: Update to a newer version to address the vulnerability. As a temporary workaround, restrict access to the /jshERP-boot/plugin/installByPath endpoint. Avoid using untrusted input for the path parameter.
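
Where a path value has to be accepted at all, the usual defence is to confine it to one directory before any file is opened. The following is an added example, not jshERP or starblues code: the class, method and directory names are hypothetical, and it assumes plugin archives are meant to live under a single plugin directory, which this advisory does not state.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

// Added example; class, method and directory names are hypothetical, not jshERP code.
public class PluginPathGuard {

    /** Returns the real path of the requested plugin archive, or throws if it leaves pluginRoot. */
    static Path resolvePluginPath(Path pluginRoot, String requested) throws IOException {
        if (requested == null || requested.isBlank() || requested.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed path");
        }
        Path root = pluginRoot.toRealPath();
        // resolve() returns the argument unchanged when it is absolute, so the
        // containment check below is what rejects absolute paths as well as "..".
        Path candidate = root.resolve(requested).normalize();
        if (!candidate.startsWith(root)) {
            throw new IllegalArgumentException("path escapes plugin directory");
        }
        // toRealPath() follows symlinks; re-check so a link inside root cannot point outside it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(root) || !Files.isRegularFile(real)
                || !real.getFileName().toString().endsWith(".jar")) {
            throw new IllegalArgumentException("not a plugin archive inside plugin directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout in a temp directory.
        Path base = Files.createTempDirectory("guard-demo");
        Path root = Files.createDirectory(base.resolve("plugins"));
        Files.createFile(root.resolve("report.jar"));
        Files.createFile(base.resolve("outside.jar"));

        List<String> inputs = List.of("report.jar", "sub/../report.jar",
                "../outside.jar", base.resolve("outside.jar").toString(), "missing.jar");
        for (String in : inputs) {
            try {
                System.out.println("ACCEPT " + in + " -> " + resolvePluginPath(root, in));
            } catch (IllegalArgumentException | IOException e) {
                System.out.println("REJECT " + in + " (" + e.getClass().getSimpleName() + ")");
            }
        }
    }
}
```

The check runs on the normalized path and again on the real path, so both lexical `..` segments and symlinks that lead out of the directory are rejected.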

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers: CVE-2026-1588

Affected Products: Defaultpluginoperator, Jsherp